What’s so special about the letter S? It’s one of the most frequently used letters in the English language, a regular sponsor of Sesame Street, and is so common that Vanna White automatically selects it for contestants during the Wheel of Fortune’s final round. Pretty standard stuff. But for website managers and enterprise security administrators, and everyone who visits their organizations’ web sites, it’s about to become the most important letter of the alphabet.
Soon, you won’t be able to reach many popular websites without adding an “s” at the end of “http” in the address bar. This assures visitors using any web browser that a page leverages the security protocol known as Transport Layer Security (TLS) – formerly Secure Sockets Layer (SSL) – cryptographic protocols that provide communications security over a computer network. Put simply, it shows that encryption is in place between the server and the user’s browser.
The SSL protocol is stronger now than ever because of the research and improvements made by member organizations of the Certificate Authority Security Council (CASC), an advocacy group committed to the advancement web security. HTTPS is an example of the CASC’s on-going efforts to earn the trust of customers and all users and improve internet security.
Website managers should be aware of the six key ways this will affect users’ experiences and interactions with their sites:
1. Clear, visible warnings: Web browsers will use visual cues to alert users of non-https connections. For example, Google Chrome will highlight insecure pages with a red slash in the address bar. They will also warn if an insecure page asks for a password or credit card by showing the words “Not Secure”. Firefox plans a similar warning for sites requesting passwords. In the future, both will transition from an information warning to a red triangle which is more noticeable.
2. Access to powerful features: Chrome will only be available over https. Services like Geolocation, Device Motion/Orientation, Full screen mode, DRM and more are strictly limited to https connections. Websites that need these features will have to implement SSL/TLS to utilize them.
3. Better, stronger, faster: http2 will replace the long-time standard http. It’s much faster, which enables a more enjoyable and efficient user experience, while also strengthening the user’s and company’s security postures. This is supported by Chrome, Firefox, Internet Explorer, Safari and Opera will only support http2 over https. So as websites migrate to the speedier http2, they must use SSL/TLS.
4. Leveraging referrer data: Website managers strive to draw visitors from other sites via referrals. Moving forward, seeking referrer data from other sites will require the use of https. Without https, the destination sites won’t know who is coming to their site.
5. New-look Gmail: Users of the popular email client will now see an open lock icon that indicates an insecure connection is used by depicting an open lock in the Gmail user interface. Email servers that use certificates to encrypt mail server to mail server data don’t show an open lock and detail the type of encryption used.
6. Everywhere you look: Many sites have already made the transition to https, including Google’s Blogspot and Analytics, Reddit, Flickr, Wikimedia, WordPress, Bitly and Shopify. The U.S. Government requires all sites under the .gov domain must be https by the end of this.
The move to https requires web site managers to make decisions concerning buying, installing, and using certificates. The CASC recommends acquiring a certificate that is trusted by browsers rather than using a self-signed certificate. Extended Validation (EV) certificates are the gold standard because the organization information they contain is rigorously validated with multiple checks that give a high degree of confidence that the information contained in the certificate is accurate.
When purchasing a certificate, look at the number of domains it covers. There are three categories: single domain, multiple domain and wildcard. Single domain certificates are by far the most common, covering a single website such as https://www.example.com. Multiple domain are appropriate for use with multiple related sites that all run on one server. Wildcard certificates support cases where multiple subdomains run on the same server and are used by the same business.
Finally, when choosing, the key size of the certificate when generating the certificate signing request (CSR), the CASC recommends using a 2048-bit RSA key size.
As we head into the frantic holiday shopping and travel season, web site managers must prioritize their efforts to secure their sites with the up-to-date certificate. Nothing will drive a consumer away from your web site and to a competitor’s than a red “X” in the browser address bar.